Stefan Viehböck of SEC Consult Vulnerability Lab found backdoors in almost all Barracuda appliances, reporting them to the vendor back in November. He found the boxes were preconfigured to accept secure shell (SSH) connections to a set of pre-defined user accounts, but only from a list of IP ranges.

Barracuda Networks backdoors

There were two security problems with this. First, the passwords needed to access those user accounts were not difficult to find or crack, Viehböck said. He claimed to have cracked a number of passwords relating to backdoor accounts called “product”, “support”, “ca” and “websupport”. For the “product” account, he was able to get a shell to run on the appliance and could access the MySQL database to add new users with administrative privileges to the appliance configuration.

Barracuda had created those accounts to update products or provide support. But the researcher found a further problem. He noted that the appliance network filtering on Barracuda kit was allowing access via SSH from those user accounts only if they came from whitelisted IP ranges, both public and private.

That would be acceptable if it was only Barracuda sitting on the public IP range. But here’s where things get sticky: “Public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities – all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet.” That means anyone in the public IP range could have been spying on users of Barracuda gear, which includes major corporations and government entities.

“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses,” Barracuda noted in its advisory, saying the threat was only of “medium” severity.

“The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit.”

Although Barracuda issued a patch, which updated the backdoor accounts so that logins are protected with public-key authentication, Viehböck claimed the “root” account could still have its password cracked, as it had not been given the same protection.

“This still leaves considerable risks to appliances as the password for the ‘root’ user might be crackable and the relevant private keys for the ‘remote’ user might be stolen from Barracuda Networks,” Viehböck added.

“In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.”
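The patched state the researcher describes (key-based logins for the maintenance accounts, password still possible for “root”, access limited to a fixed set of source ranges) is something an appliance owner can watch for in SSH authentication logs. The check below is an added example, not code from the article, SEC Consult or Barracuda; the account names come from the article, while the allowed source range and the log lines are constructed placeholders.

```python
import ipaddress
import re

# Maintenance account names reported in the article. After the patch,
# only "root" was said to still accept a password.
VENDOR_ACCOUNTS = {"product", "support", "ca", "websupport", "remote", "root"}

# Constructed allowlist standing in for the vendor's support ranges
# (the real ranges are not given in the article).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# OpenSSH "Accepted ..." line: method, user and source address.
LOG_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def audit_ssh_logins(lines):
    """Return (user, ip, reason) findings for risky accepted logins.

    Two conditions are flagged for maintenance accounts: any password
    authentication, and any login from outside the expected source ranges.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, method = m["user"], m["method"]
        ip = ipaddress.ip_address(m["ip"])
        if user not in VENDOR_ACCOUNTS:
            continue
        if method == "password":
            findings.append((user, str(ip), "password auth on maintenance account"))
        if not any(ip in net for net in ALLOWED_SOURCES):
            findings.append((user, str(ip), "maintenance login from unexpected source"))
    return findings


# Constructed sample log lines in OpenSSH format; not from any real appliance.
SAMPLE_LOG = [
    "Jan 24 10:01:02 bnap sshd[1201]: Accepted publickey for remote from 192.0.2.10 port 51000 ssh2",
    "Jan 24 10:05:17 bnap sshd[1210]: Accepted password for root from 203.0.113.5 port 51022 ssh2",
    "Jan 24 10:07:44 bnap sshd[1222]: Accepted publickey for product from 198.51.100.9 port 51040 ssh2",
    "Jan 24 10:09:00 bnap sshd[1230]: Accepted password for alice from 192.0.2.20 port 51050 ssh2",
]

if __name__ == "__main__":
    for user, ip, reason in audit_ssh_logins(SAMPLE_LOG):
        print(f"{user}@{ip}: {reason}")
```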

Viehböck found another flaw, which he said could allow an attacker to disable security on Barracuda’s SSL VPN product. “By setting of Java System Properties an unauthenticated attacker can disable various security mechanisms and thus gain access to an internal API. Among other functions, an attacker can set passwords for admin accounts,” he wrote.

Barracuda, which recently saw its founder and CEO Dean Drako depart, has issued a fix for that problem too.

UPDATE: Barracuda Networks’ vice president for product management Steve Pao sent across the following statement: “The specific discovery was related to access from the default, limited set of IP addresses used by the system to initiate remote support tunnels to Barracuda Technical Support. We have released a security definition to existing Barracuda Networks appliances that minimizes potential attack vectors. Individual customers should contact Barracuda Networks Technical Support if they need more information. As we do with all issues reported through our ‘Bug Bounty’ program, we have acknowledged SEC Consulting’s reporting of the issues in both the release notes with our security definition and on the Tech Alerts section of our website.”
